Tag: Threat Watch – Binary Defense

Read the original article: Rumored Zero-Day Exploit for Zoom Offered for $500,000 According to multiple researchers, unnamed threat actors operating on underground markets have offered to sell exploits for vulnerabilities that they claim exist in the Zoom client for Windows…

Read more →

Read the original article: One of the World’s Largest Shipping Companies Hit by Suspected Cyber-Attack Late last week, the servers at the headquarters for the Mediterranean Shipping Company (MSC) in Geneva, Switzerland had to be taken offline and still remain…

Read more →

Read the original article: Nemty Ransomware Operation Goes Private The operator behind the Nemty ransomware has announced that the group will no longer be running as a service for other criminals, choosing instead to go private. This means that the…

Read more →

Read the original article: MBRLocker Ransomware on Rise, Taunts Researchers Researchers at SentinelLabs have recently reported a surge of MBRLocker variant malware.  MBRLocker malware overwrites the Master Boot Record (MBR), which handles booting the operating system on startup.  By modifying…

Read more →

Read the original article: Microsoft Patch Tuesday Takes Care of Three Zero Days April’s Patch Tuesday this year was a rather large one with 113 different patches released that deal with vulnerabilities on 11 products, including three zero-day bugs in…

Read more →

Read the original article: Ragnar Locker Ransomware Hits Portuguese Energy Giant Attackers using the Ragnar Locker ransomware have successfully encrypted the systems of the Portuguese multinational energy giant Energias de Portugal (EDP) and are now demanding 1,580 in Bitcoin ($10.9…

Read more →

Dutch law enforcement shut down several DDoS-for-hire service providers recently. DDoS-for-hire is a destructive service offered by cybercriminals that allows anyone with enough money to hire a botnet to perform a Distributed Denial of Service (DDoS) attack against a chosen…

Read more →

Researchers discovered a cyber-criminal selling over 500,000 Zoom user accounts on a Darknet forum. The accounts ranged from being given away for free to less than a penny per account. According to the researchers, the accounts were not compromised through…

Read more →

Roughly four million accounts for the online marketplace Quidd have been posted for free on multiple hacking forums. According to ZDNet sources, the original breach is credited to someone going by the alias “ProTag” and has been privately advertised for…

Read more →

Sodinokibi: The threat group that is behind the Sodinokibi ransomware left a message on their website announcing that they will begin to accept Monero cryptocurrency for victims to pay their extortion demands and begin to move away from Bitcoin. As…

Read more →

Customers at the State Bank of India (SBI) were warned of a new campaign being carried out that involves attackers creating a web page that looks identical to that of the real bank website. The domain, http://www.onlinesbi[.]digital, requests users to…

Read more →

An old scare tactic has been reenergized and is on the rise again. Attackers are circulating emails that state that the recipient’s computer was hacked, a video was taken through the victim’s webcam while viewing an adult website and the…

Read more →

China: A report by Blackberry found that many Linux servers are being attacked by Chinese state-backed threat actors and have been for roughly ten years. Although only 1.7% of all operating systems across workstations and servers are Linux based, Linux…

Read more →

The customer engagement platform Maropost recently leaked 95 million records by way of an unsecured Google cloud server. The issue was found in early February and the server was secured on April 1st. Maropost CEO Ross Andrew Paquette claimed that…

Read more →

In another COVID-19 scam, the email security firm Inky has found emails that are impersonating President Trump and Vice President Mike Pence. The emails state that they are the latest “Coronavirus Guidelines for America” and prompts the recipient to click…

Read more →

In February, Mike O’Connor expressed interest in selling the “corp.com” domain with hopes that Microsoft would buy it. In early versions of Windows that supported Active Directory, the default or example domain was “corp.” This domain would be particularly dangerous…

Read more →

DarkHotel: A campaign targeting over 200 VPN servers have been uncovered by the Chinese firm Qihoo 360. It is believed that the campaign is currently being carried out to target a number of Chinese institutions and government agencies. The campaign…

Read more →

new botnet named “Dark_nexus” that compromises Internet-of-Things (IoT) devices appeared about three months ago and has taken control of at least 1,300 bots so far, according to researchers from Bitdefender. The malware code contains some references to other well-known botnet…

Read more →

With increased numbers of remote workers installing video conferencing applications, attackers have found a new way to spread their malicious programs. Researchers have found that attackers are creating installers for Zoom video conferencing that also install malware. The researchers at…

Read more →

Last week, security researcher Ryan Pickren published a blog post detailing many bugs in the Safari browser for Mac and iOS. Pickren noticed that when viewing the currently-open websites, Safari was ignoring the URI scheme (http://, https://, ftp://). After experimenting…

Read more →

Originally posted by user @Dashowl and confirmed by Vitali Kremez of SentinelLabs, ten new modules used by the TrickBot malware have been uncovered, adding or updating some dangerous features to its capabilities. TrickBot continues to be a serious threat to…

Read more →

Anonymous (OpIsrael): Research by Binary Defense analysts indicates that the Anonymous Collective has been carrying out a much smaller build-up to their annual April 7th “OpIsrael” campaign than usual this year. OpIsrael is one of the few remaining operations by…

Read more →

Over the course of the past two weeks, an unknown hacker has been breaking into unprotected Elasticsearch servers and deleting all of the data. These attacks seem to have started around March 24th according to security researcher John Wethington. It…

Read more →

Magecart Group 7: Researchers at RiskIQ have outlined a new Magecart campaign they found affecting at least 19 e-commerce sites, which they have attributed to Magecart Group 7. Magecart is the umbrella term for multiple threat actors that compromise e-commerce…

Read more →

With schools closed, some students are having fun creating malware to keep themselves occupied. Such appears to be the case with a variety of new MBRLocker variants being released, including one with a coronavirus theme. MBRLockers are programs that replace…

Read more →

A new campaign has been discovered which is leveraging Excel files encrypted using the default password “VelvetSweatshop” to infect machines with LimeRAT. The technique of setting an Excel file to “read-only” using the default password to encrypt an Excel file…

Read more →

The video conferencing app Zoom has exploded in popularity with much of the world beginning to work from home. With the recent rise in popularity, however, came increased scrutiny and the attention of security researchers. In response to recent concerns…

Read more →

Researchers at Kaspersky have released a technical analysis report detailing a malware packer named Loncom. This packer uses NSIS software for packing and loading shellcode and has been seen loading malware used by Advanced Persistent Threat (APT) groups. Microsoft’s Crypto…

Read more →

Marriott International, a huge international hotel chain, has released information on a data breach that has affected roughly 5.2 million guests. In the release, they stated that at the end of February 2020, Marriott noticed that an “unexpected amount of…

Read more →

Video conferencing services, including Zoom, have become increasingly popular since many more employees are working remotely. Security researcher @_g0dmode is credited for discovering a potential attack vector against Zoom users that was later verified by UK security researcher Matthew Hickey.…

Read more →

APT37/Geumseong121: A Microsoft operation in December 2019 took down 50 websites known to be affiliated with North Korean threat group APT37. According to researchers from South Korea-based security company ESTsecurity Response Center (ESRC), they have now found a new campaign…

Read more →

Unknown: A currently unknown hacker has taken over multiple YouTube accounts and renamed them to match Microsoft brand names. The accounts, with names including Microsoft News and Microsoft US, were used to post crypto-currency investment videos featuring a speech given…

Read more →

According to ZDNet, the source code for Dharma has been posted for sale on two forums for just $2,000. Considering how much money criminals have extorted using Dharma, this represents a very low price for the source code. From November…

Read more →

The makers of Houseparty, a social media app used for conference video calls are offering a reward of $1,000,000 USD to anyone able to unmask the entity behind what they allege is an ongoing smear campaign. Many posts on social…

Read more →

New scams involving the Coronavirus continue to arrive on a daily basis. This specific campaign involves a threat actor posing as someone who works at a nearby hospital. The email states that the recipient has been in contact with someone…

Read more →

AppRiver recently discovered a phishing campaign that targets remote workers using emails appearing to be from their company’s IT department. The email stated that the IT department was in the process of building a portal that allows employees to keep…

Read more →

Silence/TA505: Malware samples uploaded to VirusTotal in early February are believed to have been used in attacks against pharmaceutical and manufacturing companies in Europe. The uploaded samples were identified as “Silence.ProxyBot” and updated versions of “Silence.MainModule,” leading researchers to attribute…

Read more →

Maze: The website utilized by the Maze ransomware group has added Chubb, a cybersecurity insurance provider, to their list of claimed victims. Currently, the listing only shows the company name and contact information for three senior executives—sample data is listed…

Read more →

Threat actors behind the WP-VCD family of WordPress infections have started to distribute modified versions of Coronavirus-themed plugins. These plugins create backdoors on infected sites and are designed to display popups, redirect visitors, or inject malicious advertisements in attempts to…

Read more →

Analysts at Dr. Web, a Russian anti-virus company, have uncovered a campaign that has tricked victims into downloading malware disguised as a Google Chrome update. Using multiple compromised WordPress sites, the threat actor embedded a JavaScript redirection script, sending visitors…

Read more →

One of the world’s largest free Dark Web hosting providers, Daniel’s Hosting (DH), decided to suspend operations after it was hacked for the second time in 16 months. The provider’s entire database was deleted, causing 7,600 dark web portals to…

Read more →

The world-famous storage solution provider Tupperware has had its website compromised by attackers to steal credit card payment details at checkout. Discovered by Malwarebytes researchers, the cybercriminals used a method that is different than recent attacks against online shopping checkout…

Read more →

A new remote access trojan (RAT) name Milum, which had no similarities to any other known malware, was discovered in a campaign targeting organizations in the Middle East. The campaign has been dubbed WildPressure and appears to have started in…

Read more →

Over the last few days, some members of the BleepingComputer forum began to report their web browser opening on its own and displaying a message for the user to download malware disguised as a “COVID-19 Inform App,” which falsely claimed…

Read more →

Analysts at FireEye have identified a massive campaign run by the Chinese-backed APT41 threat group targeting multiple business sectors. This campaign leverages many vulnerabilities in products typically used by businesses in order to gain a foothold on enterprise systems. The…

Read more →

DarkHotel: The World Health Organization (WHO) has been dealing with a significant increase in cyber-attacks while also attempting to deal with the current COVID-19 pandemic. According to officials at the WHO, the number of cyber-attacks targeting the agency has doubled…

Read more →

Microsoft released a security advisory stating that they are aware of a Type 1 font parsing remote code execution (RCE) vulnerability affecting all versions of Windows, including Windows Server. The bugs exist when Adobe Type Manager Library improperly handles a…

Read more →

The MalwareHunterTeam has identified another attack that is using the Corona Virus as a way to trick people into downloading malicious software. They identified the site “antivirus-covid19[.]site” that pretends to provide anti-virus software for a donation. If someone clicks the…

Read more →

While hunting for malware on VirusTotal on March 20th, Binary Defense analysts discovered a fully functioning copy of CobaltStrike 4.0 which apparently had been cracked to remove its software licensing restrictions. On March 21st, a Chinese software pirate published an…

Read more →

After the March 10th Patch Tuesday update, many Windows users began to question a Windows Defender notification telling them that certain files had been skipped during a scan. Windows Defender has a feature that gives administrators the choice to exclude…

Read more →

Maze: The operators behind the Maze ransomware appear to have already gone back on their word after promising not to target medical facilities during the global COVID-19 pandemic. Last week, the criminal groups that use Maze and DoppelPaymer stated that…

Read more →

Recently VMWare released a patch for the flaw tracked as CVE-2020-3950 that affected Fusion, Remote Console (VMRC) and Horizon Client for Mac. However, while the vulnerability has been fixed for VMRC and Horizon Client, the patch does not completely fix…

Read more →

TA505: A new attack, believed to be attributed to the threat group TA505, is targeting Human Resource departments within organizations located in Germany. Using Business Email Compromise (BEC) style of phishing attacks, the group is utilizing trojanized disk image files…

Read more →

The Canadian Internet Service Provider (ISP) Rogers Communication has started to notify customers of a data breach that exposed personal information due to an unsecured database. In the notification posted to their site, Rogers Communications stated that they learned of…

Read more →

CERT France has released an alert this week regarding a new variant of the Mespinoza ransomware strain, also known as Pysa. The operators of this ransomware, who previously attacked large businesses, have now started targeting French government organizations. Using brute-force…

Read more →

According to a security bulletin by Trend Micro, multiple critical vulnerabilities were recently discovered with the company’s Apex One and OfficeScan XG products. Two of the vulnerabilities (CVE-2020-8467 and CVE-2020-8468) were considered to be zero-days due to observed exploit attempts…

Read more →

Lawrence Abrams of Bleeping Computer reached out to the operators behind some of the most prevalent ransomware this week. His question was a simple one: “Will you continue to target health and medical organizations during the COVID-19 pandemic?” So far…

Read more →

A new ransomware, named Nefilim, has been found and appears to have been active since February 2020. Nefilim shares much of the same code as the Nemty ransomware but has removed the ransomware-as-a-service component and has also changed to using…

Read more →

Magecart: TrueFire, which is an online tutoring website that teaches guitar, has alerted its customers that their data was exposed to unauthorized parties. TrueFire stated that they do not store credit card information on their website, but threat actors managed…

Read more →

APT36/Pakistan: Pakistani-linked APT36 is using spear phishing to take advantage of the current coronavirus news to spread malware dubbed Crimson RAT. Crimson RAT can steal credentials from browsers, capture screenshots, collect anti-virus software information, and list the running processes, drives,…

Read more →

On March 17th, VMware released security updates that dealt with Denial-of-Service (DoS) and high severity privilege escalations in VMware Workstation, Fusion, VMware Remote Console, and Horizon Chat. The two flaws, tracked as CVE-2020-3950 and CVE-2020-3951, are believed to come from…

Read more →

Researchers at DomainTools have identified a malicious domain (coronavirusapp[.]site) that is used to trick victims into downloading a malicious Android app. While this app claims to provide real-time tracking and statistics about the Coronavirus outbreak, in reality, the only thing…

Read more →

In 2016 Argentina’s government chose to enact legislation that made digital transmissions of their Boletín Oficial, or Official Gazette, legally valid because of their trust in the blockchain technology used to authenticate its transmission. That trust was exploited recently when…

Read more →

Evan Custodio, a researcher using the HackerOne bug bounty platform, reported a critical vulnerability to Slack in November of 2019. Custodio’s finding was an HTTP smuggling attack. This type of attack can arise when a front-end server or application forwards…

Read more →

Over the weekend, researchers from Comparitech discovered a large database that contains millions of records about European customers left unsecured on Amazon Web Service (AWS). A total of eight million records that belong to companies including Amazon, eBay, Shopify, PayPal,…

Read more →

Ancient Tortoise: Ancient Tortoise, a Business Email Compromise (BEC) cybercrime group, began using Coronavirus themed emails to trick users into transferring funds. Researchers at Agari exchanged email messages with the threat actors as part of an ongoing BEC scam investigation.…

Read more →

University Brno Hospital in the Czech Republic was forced to close its doors on Friday after a cyberattack struck. This is quite unfortunate as the hospital was one of the larger testing centers for COVID-19 in the country and the…

Read more →

On March 4th, Avast antivirus was alerted to a vulnerability in its JavaScript emulation engine by researcher Tavis Ormandy. Just a few days later, Ormandy released a tool on GitHub that made analyzing the engine easier. Avast’s JavaScript engine ran…

Read more →

Microsoft released an emergency security patch on March 12th to correct a critical vulnerability in Server Message Block (SMB) version 3, which is used for file sharing and other core network capabilities in Windows 10 and Windows Server 2019. Attackers…

Read more →

The online service provider Open Exchange Rates announced this week that they have suffered a data breach. Open Exchange Rates provides a service used by a number of large companies that allows them to look up currency exchange rates. The…

Read more →

Turla: Researchers from ESET have discovered a new watering hole attack being carried out by Turla targeting several high-profile Armenian websites. Turla is a well-known Russian espionage group that has been tracked for over ten years; researchers stated that several aspects…

Read more →

Due to COVID-19, Otterbein University and many others in the state of Ohio have decided to shift to all online classes. Shortly after this was announced by the university, a malware attack struck their network. University officials do not have…

Read more →

Researchers from Kaspersky have discovered a new malware, dubbed Cookiethief, that uses a combination of exploits that gain root access, then steal Facebook cookies from Android devices. Cookies are small pieces of data that are used to track and identify…

Read more →

The FBI has arrested Russian national Kirill Victorovich Firsov for his role in the operation of the criminal eCommerce sire deer[dot]io. Deer[dot]io operated similarly to legitimate eCommerce platforms like Shopify, which allows users to create and operate their own shops…

Read more →

Researchers from Reason Labs reported that attackers are designing websites that display updated maps of the spread of Coronavirus. The websites prompt viewers to download and run a Windows application to keep up to date on the latest information, but…

Read more →

Microsoft has released a security advisory for a remote code execution vulnerability recently discovered with SMBv3, the protocol commonly used within businesses for file sharing. To exploit an SMB server, an unauthenticated attacker only needs to send a specially crafted…

Read more →

Manheim Auctions, Australia’s largest car auction house, released a statement that it was the victim of a month-long cyber-attack and has now received a $30 million-dollar ransom note to remove the infection from its over 1000 servers and decrypt the…

Read more →

Unknown: Cybereason, a cybersecurity firm, published a report describing a new version of the Remote Access Trojan njRAT being distributed through trojanized hacking tools by an unidentified threat group. The group has attempted to gain backdoor access to the computers…

Read more →

On Monday, the ENTSO-E confirmed that its IT network had been intruded into. Fortunately, the office network that was compromised did not have connections to any operational electric transmission system, which means the attack only affected IT systems and not…

Read more →

Communications & Power Industries (CPI), a major electronics manufacturer for defense contracts, has confirmed that they were the victim of a ransomware attack. The company fell victim to ransomware in mid-January and opted to pay the ransom of $500,000 but…

Read more →

As part of their Patch Tuesday schedule, Microsoft recently released updates for a remote code execution vulnerability affecting Exchange 2010, 2013, 2016 and 2019 (CVE-2020-0688). Two weeks after a patch was released, Trend Micro’s Zero Day Initiative released a blog…

Read more →

Over the past weekend, the city of Durham, North Carolina was the victim of a ransomware attack and had to shut down a significant portion of its network. According to a statement from officials, Durham “temporarily disabled all access into…

Read more →

Virgin Media, a leading cable operator in the UK and Ireland, announced today that the personal information of roughly 900,000 customers was accessed without permission. According to an ongoing investigation, a misconfigured and unsecured marketing database has been publicly accessible…

Read more →

Orsegups Participacoes, a Brazilian physical security company, exposed over 25GB of files through an unsecured Amazon Simple Storage Service (S3) bucket. The documents stored on the server included tax documents, receipts, payment slips, and a series of invoices for clients,…

Read more →

On March 5th, a functional exploit for an unpatched vulnerability in ManageEngine Desktop Central was published by security researcher Steven Seely. The exploit allows attackers to upload files and remotely run commands with SYSTEM permissions, without any authentication required. Desktop…

Read more →

While the method of distributing malware by making it look like a real software update is not new, threat actors are using a new twist to this method, trying to pass off the Buerak and Mokes malware on compromised sites…

Read more →

Discovered and identified last year as CVE-2019-0090, a bug in Intel’s Converged Security and Management Engine (CSME) could grant attackers access to the Chipset Key, which is the root cryptographic key that can be used to access everything on a…

Read more →

On March 2nd, legal reporter Bob Ambrogi shared that Epiq Global, a legal services company, recently took their systems offline globally in response to a security incident. A source for BleepingComputer revealed that the incident began with a TrickBot infection…

Read more →

T-Mobile announced yesterday news of a security breach that affects both customers and employees. According to the statement made by T-Mobile, an attacker targeted their email vendor which allowed for unauthorized access to “certain T-Mobile employee mail accounts.”  The compromised…

Read more →

Let’s Encrypt, the non-profit certificate authority, recently found a bug in their Boulder software that is causing over three million TLS certificates to be revoked. The bug was causing certificates to not be validated correctly by the Certificate Authority Authorization…

Read more →

Secure and complete backups are the primary defense once a system gets infected with ransomware. If the cloud backups are not configured properly, they can be used against the victim. Security researcher Lawrence Abrams recently reached out to the DoppelPaymer…

Read more →

China: The Chinese cybersecurity firm Qihoo released a report accusing the CIA (Central Intelligence Agency) of being behind multiple cyber-attacks targeting Chinese entities. Targets of the attacks were located in Beijing, Guangdong, and Zhejiang and dealt with a range of…

Read more →

Several WordPress plugins, some installed on hundreds of thousands of sites, are currently under active attack. This represents an increase in attacks on WordPress sites compared to the last few months. While many of the exploit attempts targeted recently patched…

Read more →

On March 2nd, 2020, Have I Been Pwned (HIBP) sent out breach notifications relating to credentials found on a server referenced by IP address, instead of Pastebin or other paste sites. Since this was an unusual breach notification, Binary Defense’s…

Read more →

DoppelPaymer: Last week the ransomware threat group DoppelPaymer posted to their Twitter account that data from Tesla, Boeing, Space-X, and Lockheed Martin would be posted to DoppelPaymer’s website soon. Their Twitter account has since been suspended but their websites on…

Read more →

Under the Breach researchers first reported the news that the Sodinokibi (also known as REvil) ransomware group were threatening to release around 60,000 customer-related documents and nearly 70,000 financial and work documents allegedly stolen from the company Kenneth Cole. The…

Read more →

TA505: The Russian speaking threat actor TA505 spent most of the 2019 year targeting banks in South Korea according to the researchers from the Financial Security Institute. Utilizing malicious attachments and ransomware, TA505 carried out phishing campaigns against South Korean…

Read more →

On January 15, 2020, the popular drugstore chain Walgreens discovered an error within their mobile app that allowed some personal messages from Walgreens to be viewable by other users of the app. Some of the affected messages included health-related messages–including…

Read more →

A new forum post by the Sodinokibi operators show they are doubling down on their efforts to coerce victims into paying the ransom. Although the group had already begun to follow in the footsteps of others by posting stolen data,…

Read more →

This week, the security company Transmit Security notified their customers that the firm had suffered a data breach. The breach included information for over one thousand accounts, including email addresses, passwords, phone numbers, and “other sensitive information” according to the…

Read more →